
Access Control List in Linux

This article introduces the foundations and main functionality of ACLs in the Linux file system. You will also learn how the traditional permission concept is extended with ACLs and what advantages that extension brings.

I. Advantages of ACLs
Normally a file in Linux has three permissions, r, w and x, for three classes of users: owner, group and other. These 9 bits determine access on every Linux file system. In addition, SUID, SGID and the sticky bit can be used in special cases.
ACLs are used where the conventional file permission concept is not sufficient. They allow permissions to be assigned to an individual user or group even when that user or group is neither the owner nor the owning group. ACLs are supported on ReiserFS, Ext2, Ext3, JFS and XFS.
The advantage of ACLs becomes clear when a Windows server is replaced by a Linux server. Some workstations may continue to run Windows after the migration. The Linux system then serves files and services to the Windows clients with Samba. Samba supports ACLs as well, so user permissions can be configured both on Linux and on Windows through a GUI. winbindd can even assign permissions to users who exist only in the Windows domain and have no account on the Linux server. Apart from that, ACLs can be inspected and edited with getfacl and setfacl.

II. Definitions
POSIX uses three user classes (owner, owning group and other) to assign permissions in the file system. The following terms are used below:
- Access ACL: applies to both files and directories and determines their access permissions.
- Default ACL: applies only to directories. It defines the permissions that objects created in the directory inherit from their parent at creation time.
- ACL entry: each ACL consists of a set of ACL entries. An ACL entry contains a type, a qualifier naming the user or group it refers to, and a set of permissions.

III. Handling ACLs

III.1. Structure of ACL entries
Basically, ACLs fall into two classes. A minimum ACL consists only of the entries for the owner, the owning group and other, i.e. the permissions of the conventional file system. An extended ACL goes further: it contains a mask entry and may contain entries of the named user and named group types. The permissions defined in the owner and other entries are always effective. Apart from the mask entry itself, all other entries (named user, named group and owning group) are either effective or masked. A permission is effective only if it is present both in the entry and in the mask. A permission contained only in the mask, or only in the entry, is not effective, meaning it is not granted.

III.2. ACL entries and file mode permission bits

The ACL entries map onto the three blocks of permission bits (owner class, group class, other class) as follows:
- The owner entry maps to the owner class and the other entry to the other class.
- No mask (minimum ACL): the owning group entry maps to the group class.
- With a mask (extended ACL): the mask entry maps to the group class.

This mapping ensures smooth interaction between applications with and without ACL support: changes made to the permission bits (for example with chmod) are reflected in the ACL, and vice versa.

The access permissions assigned through the permission bits represent the upper limit for all finer adjustments made in the ACL. Any permission not reflected in the permission bits is either not set in the ACL or not effective.
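The masking rule of III.1 and the bit mapping of III.2 are easy to get wrong by hand, so here is an added example (not code from the original article) that applies both to a getfacl-style listing. The ACL text SAMPLE_ACL is constructed for this example; it mirrors the state of mydir after the chmod g-w later in the article, where the mask is tighter than the named entries, and MINIMUM_ACL is a plain three-entry ACL for comparison.

```shell
#!/bin/sh
# Added example: apply the POSIX ACL masking rule to a getfacl-style listing
# and derive the permission column that ls -l would print from the same ACL.
# Both ACL texts below are constructed inputs, not taken from a real system.

SAMPLE_ACL='user::rwx
user:kitty:rwx
group::r-x
group:friends:rwx
mask::r-x
other::---'

MINIMUM_ACL='user::rw-
group::r--
other::---'

# perm_and A B: intersection of two rwx strings, e.g. "rwx" and "r-x" -> "r-x"
perm_and() {
    out=""
    for i in 1 2 3; do
        a=$(printf '%s' "$1" | cut -c"$i")
        b=$(printf '%s' "$2" | cut -c"$i")
        if [ "$a" = "$b" ] && [ "$a" != "-" ]; then out="$out$a"; else out="$out-"; fi
    done
    printf '%s' "$out"
}

# acl_field ACL TAG: permission string of the entry starting with TAG
# (e.g. 'mask::'); 'user::' does not match the named entry 'user:kitty:'.
acl_field() {
    printf '%s\n' "$1" | sed -n 's/^'"$2"'\(...\)$/\1/p'
}

# effective_acl ACL: one line per entry, "entry -> effective permissions".
# user:: and other:: are never masked; named users, named groups and the
# owning group only keep the bits that also appear in mask::.
effective_acl() {
    mask=$(acl_field "$1" 'mask::')
    printf '%s\n' "$1" | while IFS= read -r entry; do
        [ -n "$entry" ] || continue
        perms=${entry##*:}
        case $entry in
            user::*|other::*|mask::*) eff=$perms ;;
            *) if [ -n "$mask" ]; then eff=$(perm_and "$perms" "$mask"); else eff=$perms; fi ;;
        esac
        printf '%s -> %s\n' "$entry" "$eff"
    done
}

# mode_string ACL TYPECHAR: the permission column ls -l would print. The
# group class shows the mask when there is one, otherwise the owning group,
# and a trailing "+" marks an extended ACL.
mode_string() {
    u=$(acl_field "$1" 'user::')
    g=$(acl_field "$1" 'group::')
    o=$(acl_field "$1" 'other::')
    m=$(acl_field "$1" 'mask::')
    if [ -n "$m" ]; then
        printf '%s%s%s%s+\n' "$2" "$u" "$m" "$o"
    else
        printf '%s%s%s%s\n' "$2" "$u" "$g" "$o"
    fi
}

effective_acl "$SAMPLE_ACL"
mode_string "$SAMPLE_ACL" d      # drwxr-x---+ : group column is the mask
mode_string "$MINIMUM_ACL" -     # -rw-r-----  : group column is group::
```

Running it shows that kitty and friends, whose entries still read rwx, end up with r-x, exactly the "#effective" comments getfacl prints, while the ls column reports the mask and not the owning group.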
III.3. A directory with an access ACL
Handling an ACL is explained in three steps:
- Create the directory
- Modify the ACL
- Use the mask

Before creating the directory, use umask to define the initial access permissions:


$ umask 027

Then create mydir:
$ mkdir mydir

After creating mydir, use ls -dl to check that the permissions were assigned as expected (umask 027 removes write from the group and everything from other, leaving 750):
$ ls -dl mydir/
drwxr-x--- 2 quanta quanta 4096 2007-12-29 22:53 mydir/

Check the initial state of the ACL with getfacl before inserting a new user and a new group entry. It is a minimum ACL that reproduces the permission bits exactly:
$ getfacl mydir/
# file: mydir
# owner: quanta
# group: quanta
user::rwx
group::r-x
other::---

First, modify the ACL by granting read, write and execute permission to the user kitty and the group friends:
$ setfacl -m user:kitty:rwx,group:friends:rwx mydir/

The -m option tells setfacl to modify an existing ACL.


Look at the result with getfacl:
$ getfacl mydir/
# file: mydir
# owner: quanta
# group: quanta
user::rwx
user:kitty:rwx
group::r-x
group:friends:rwx
mask::rwx
other::---

In addition to the entries created for user kitty and group friends, a mask entry has been created. This mask entry is set automatically so that all the new entries are effective. The mask defines the maximum effective access permissions for every entry in the group class: named users, named groups and the owning group. Consequently, the group class permission bits displayed by ls -dl now correspond to the mask entry rather than to the owning group:
$ ls -dl mydir/
drwxrwx---+ 2 quanta quanta 4096 2007-12-29 22:53 mydir/

Note: the first column of the output ends with a +, which indicates that the object carries an extended ACL.


In the output above, the mask entry includes write permission, so ls shows rwx for the group class even though the owning group entry itself is only r-x (its effective permissions stay r-x, because a permission must be present in both the entry and the mask). Now remove write permission from the group class with chmod (setfacl -m mask::r-x would have the same effect). The getfacl output shows that chmod adjusted the mask bits, and that kitty and friends, whose entries still say rwx, are now effectively limited to r-x:
$ sudo chmod g-w mydir/
$ getfacl mydir/
# file: mydir
# owner: quanta
# group: quanta
user::rwx
user:kitty:rwx          #effective:r-x
group::r-x
group:friends:rwx       #effective:r-x
mask::r-x
other::---
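To make the walkthrough above repeatable, here is an added example (not from the original article) that replays it in a scratch directory and checks each claim, plus one caveat the article does not show: a later setfacl -m without -n recalculates the mask and silently re-enables write for every group-class entry. It assumes setfacl and getfacl (the acl package) are installed and that the file system under $TMPDIR supports POSIX ACLs; otherwise the demo reports that it was skipped. The user kitty and group friends are replaced by the constructed numeric ids 40001 and 40002 so that no such accounts need to exist, and getfacl -n keeps them numeric in the output.

```shell
#!/bin/sh
# Added example: replay the access-ACL walkthrough and verify mask behaviour.
# Constructed stand-ins for user kitty and group friends (no accounts needed).
KITTY=40001
FRIENDS=40002

# acl_line PATH PREFIX: the ACL line starting with PREFIX, header omitted and
# whitespace normalised (getfacl pads "#effective:" with tabs).
acl_line() {
    getfacl -c -n -p "$1" | sed 's/[[:space:]]\{1,\}/ /g' | grep "^$2"
}

# access_acl_demo: 0 when every check passes, 1 on an unexpected result,
# 2 when the tools or the file system do not support ACLs (demo skipped).
access_acl_demo() {
    command -v setfacl >/dev/null 2>&1 && command -v getfacl >/dev/null 2>&1 || return 2
    work=$(mktemp -d) || return 1
    trap 'rm -rf "$work"' EXIT
    d=$work/mydir
    ( umask 027 && mkdir "$d" ) || return 1
    [ "$(ls -dl "$d" | cut -c1-10)" = "drwxr-x---" ] || return 1
    # Probe for ACL support before asserting anything else.
    setfacl -m "user:$KITTY:rwx,group:$FRIENDS:rwx" "$d" 2>/dev/null || return 2

    # 1. The mask is created automatically and is what ls shows for the group.
    [ "$(acl_line "$d" 'mask::')" = "mask::rwx" ] || return 1
    [ "$(ls -dl "$d" | cut -c1-11)" = "drwxrwx---+" ] || return 1

    # 2. chmod on the group class edits the mask, not the entries: kitty keeps
    #    rwx in the ACL but her effective rights drop to r-x.
    chmod g-w "$d" || return 1
    [ "$(acl_line "$d" 'mask::')" = "mask::r-x" ] || return 1
    [ "$(acl_line "$d" "user:$KITTY:")" = "user:$KITTY:rwx #effective:r-x" ] || return 1
    [ "$(acl_line "$d" 'group::')" = "group::r-x" ] || return 1

    # 3. Caveat: modifying any entry recomputes the mask as the union of the
    #    group-class entries unless -n is given, so friends get write back.
    setfacl -m "user:$KITTY:rw-" "$d" || return 1
    [ "$(acl_line "$d" 'mask::')" = "mask::rwx" ] || return 1
    [ "$(acl_line "$d" "group:$FRIENDS:")" = "group:$FRIENDS:rwx" ] || return 1
    chmod g-w "$d" || return 1
    setfacl -n -m "user:$KITTY:r--" "$d" || return 1
    [ "$(acl_line "$d" 'mask::')" = "mask::r-x" ] || return 1
    [ "$(acl_line "$d" "group:$FRIENDS:")" = "group:$FRIENDS:rwx #effective:r-x" ] || return 1

    rm -rf "$work"
    trap - EXIT
    return 0
}

if access_acl_demo; then
    echo "access ACL demo: all checks passed"
else
    echo "access ACL demo: status $? (2 = skipped, ACLs unavailable here)"
fi
```

The practical lesson from step 3 is that tightening the mask with chmod g-w is not durable: any later setfacl -m on the directory reopens it, so scripts that manage ACLs should either pass -n or set mask:: explicitly in the same call.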

III.4. A directory with a default ACL

A default ACL defines the access permissions that all objects created below this directory inherit at creation time. A default ACL affects subdirectories as well as files.
III.4.1. Effects of a default ACL
Basically, the permissions of a default ACL are passed on in two ways:
- A subdirectory inherits the default ACL of its parent both as its own default ACL and as its access ACL.
- A file inherits the default ACL as its access ACL.

All system calls that create file system objects use a mode parameter that defines the access permissions for the newly created object:
- If the parent directory has no default ACL, the permission bits defined by umask are removed from the mode parameter (mode & ~umask) and the result is assigned to the new object.
- If the parent directory has a default ACL, the permission bits assigned to the new object are the intersection of the mode parameter and the permissions defined in the default ACL; umask is not applied at all in this case.
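The two rules above are simple bit arithmetic, so as an added example (not from the original article) here is a small calculator that reproduces them; the default ACL text is constructed here and matches the default ACL mydir receives in III.4.2. It goes slightly beyond the article by showing the case the second rule implies but the text does not spell out: with a default ACL in place, even a restrictive umask 077 does not tighten the new object.

```shell
#!/bin/sh
# Added example: compute the mode bits of a newly created file or directory
# from the creation mode, the umask and the parent's default ACL (if any).
# All numeric arguments are octal. DEFAULT_ACL is a constructed listing,
# written as getfacl prints default entries but without the "default:" prefix.

DEFAULT_ACL='user::rwx
group::r-x
group:friends:r-x
mask::r-x
other::---'

# perm_bits STR: rwx-style string -> 0..7
perm_bits() {
    n=0
    case $1 in r??) n=$((n | 4)) ;; esac
    case $1 in ?w?) n=$((n | 2)) ;; esac
    case $1 in ??x) n=$((n | 1)) ;; esac
    echo "$n"
}

# default_acl_bits ACL: the default ACL collapsed to mode bits: user:: for the
# owner class, mask:: (or group:: when there is no mask) for the group class,
# other:: for the other class. Named entries are copied to the new object
# unchanged and are not part of the mode.
default_acl_bits() {
    u=$(printf '%s\n' "$1" | sed -n 's/^user::\(...\)$/\1/p')
    g=$(printf '%s\n' "$1" | sed -n 's/^group::\(...\)$/\1/p')
    m=$(printf '%s\n' "$1" | sed -n 's/^mask::\(...\)$/\1/p')
    o=$(printf '%s\n' "$1" | sed -n 's/^other::\(...\)$/\1/p')
    [ -n "$m" ] || m=$g
    echo $(( ($(perm_bits "$u") << 6) | ($(perm_bits "$m") << 3) | $(perm_bits "$o") ))
}

# new_object_mode MODE UMASK DEFAULT_ACL: resulting mode, printed in octal.
# No default ACL: mode & ~umask. Default ACL present: mode & default-ACL bits,
# and the umask plays no part at all.
new_object_mode() {
    if [ -z "$3" ]; then
        printf '%04o\n' $(( $1 & ~$2 & 0777 ))
    else
        printf '%04o\n' $(( $1 & $(default_acl_bits "$3") ))
    fi
}

# touch asks for 0666 and mkdir for 0777. First without a default ACL under
# umask 027, then with the default ACL under a much stricter umask 077:
new_object_mode 0666 0027 ""              # 0640
new_object_mode 0777 0027 ""              # 0750
new_object_mode 0666 0077 "$DEFAULT_ACL"  # 0640, umask 077 is ignored
new_object_mode 0777 0077 "$DEFAULT_ACL"  # 0750
```

The last two lines are the security-relevant point: once a directory carries a default ACL, a hardened umask on the creating process no longer limits what new files expose, and the default ACL has to be reviewed instead.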

III.4.2. Application of default ACLs

Three steps are shown:
- Add a default ACL to an existing directory
- Create a subdirectory in a directory with a default ACL
- Create a file in a directory with a default ACL

Add a default ACL to the existing directory mydir:
$ setfacl -d -m group:friends:r-x mydir/

The -d option tells setfacl to apply the modification to the default ACL instead of the access ACL.
Look at the result of this command:
$ getfacl mydir/
# file: mydir
# owner: quanta
# group: quanta
user::rwx
user:kitty:rwx          #effective:r-x
group::r-x
group:friends:rwx       #effective:r-x
mask::r-x
other::---
default:user::rwx
default:group::r-x
default:group:friends:r-x
default:mask::r-x
default:other::---

getfacl returns both the access ACL and the default ACL. Note that the access ACL is unchanged, and that the default ACL contains no entry for kitty: only what is given with -d (plus the owner, owning group, mask and other entries derived from the directory) ends up in the default ACL.


Next, create a subdirectory in mydir. The subdirectory inherits the default ACL of mydir:
$ mkdir mydir/mysubdir
$ getfacl mydir/mysubdir/
# file: mydir/mysubdir
# owner: quanta
# group: quanta
user::rwx
group::r-x
group:friends:r-x
mask::r-x
other::---
default:user::rwx
default:group::r-x
default:group:friends:r-x
default:mask::r-x
default:other::---

The access ACL of mysubdir exactly reflects the default ACL of mydir, and mysubdir has received the same default ACL for its own future children.


Use touch to create a file in mydir:
$ touch mydir/myfile
$ ls -l mydir/myfile
-rw-r-----+ 1 quanta quanta 0 2008-01-07 00:59 mydir/myfile
$ getfacl mydir/myfile
# file: mydir/myfile
# owner: quanta
# group: quanta
user::rw-
group::r-x              #effective:r--
group:friends:r-x       #effective:r--
mask::r--
other::---

The file inherits the default ACL of mydir as its access ACL, intersected with the mode 0666 that touch requests: execute permission is removed from the owner entry and from the mask, so the owning group and the group friends keep r-x in their entries but are effectively limited to read access. No default ACL is created for a file, since default ACLs apply only to directories.
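As an added example (not from the original article), the following script replays the default-ACL steps in a scratch directory and verifies the inheritance described above. It adds a check the article only implies: once a default ACL exists, umask no longer restricts new objects, so even umask 077 does not stop the friends group from reading a new file, while a sibling directory without a default ACL still honours the umask. It assumes setfacl and getfacl are installed and that the file system under $TMPDIR supports POSIX ACLs (otherwise it reports that it was skipped); the user kitty and group friends are replaced by the constructed ids 40001 and 40002, printed numerically via getfacl -n.

```shell
#!/bin/sh
# Added example: replay the default-ACL walkthrough and verify inheritance,
# including the fact that a default ACL overrides the creating process's umask.
KITTY=40001      # constructed stand-in for user kitty
FRIENDS=40002    # constructed stand-in for group friends

# acl_line PATH PREFIX: one ACL line (access or default) starting with PREFIX,
# header omitted and whitespace normalised.
acl_line() {
    getfacl -c -n -p "$1" | sed 's/[[:space:]]\{1,\}/ /g' | grep "^$2"
}

# default_acl_demo: 0 when every check passes, 1 on an unexpected result,
# 2 when the tools or the file system do not support ACLs (demo skipped).
default_acl_demo() {
    command -v setfacl >/dev/null 2>&1 && command -v getfacl >/dev/null 2>&1 || return 2
    work=$(mktemp -d) || return 1
    trap 'rm -rf "$work"' EXIT
    d=$work/mydir
    ( umask 027 && mkdir "$d" ) || return 1
    setfacl -m "user:$KITTY:rwx,group:$FRIENDS:rwx" "$d" 2>/dev/null || return 2
    chmod g-w "$d" || return 1

    # 1. Add a default ACL; the access ACL (including kitty) is untouched.
    setfacl -d -m "group:$FRIENDS:r-x" "$d" || return 1
    [ "$(acl_line "$d" 'default:mask::')" = "default:mask::r-x" ] || return 1
    [ "$(acl_line "$d" "default:group:$FRIENDS:")" = "default:group:$FRIENDS:r-x" ] || return 1
    [ "$(acl_line "$d" "user:$KITTY:")" = "user:$KITTY:rwx #effective:r-x" ] || return 1
    [ -z "$(acl_line "$d" "default:user:$KITTY:")" ] || return 1

    # 2. A subdirectory inherits the default ACL as access ACL and default ACL;
    #    kitty is absent because the default ACL never contained her.
    mkdir "$d/mysubdir" || return 1
    [ "$(acl_line "$d/mysubdir" "group:$FRIENDS:")" = "group:$FRIENDS:r-x" ] || return 1
    [ "$(acl_line "$d/mysubdir" 'mask::')" = "mask::r-x" ] || return 1
    [ "$(acl_line "$d/mysubdir" "default:group:$FRIENDS:")" = "default:group:$FRIENDS:r-x" ] || return 1
    [ -z "$(acl_line "$d/mysubdir" "user:$KITTY:")" ] || return 1

    # 3. A file gets the default ACL as its access ACL, intersected with the
    #    0666 creation mode: x is dropped, so friends is effectively r--.
    touch "$d/myfile" || return 1
    [ "$(ls -l "$d/myfile" | cut -c1-11)" = "-rw-r-----+" ] || return 1
    [ "$(acl_line "$d/myfile" "group:$FRIENDS:")" = "group:$FRIENDS:r-x #effective:r--" ] || return 1
    [ "$(acl_line "$d/myfile" 'mask::')" = "mask::r--" ] || return 1

    # 4. Caveat: with a default ACL present the umask is ignored entirely.
    #    A sibling directory without a default ACL still honours umask 077.
    ( umask 077 && touch "$d/secret" ) || return 1
    [ "$(ls -l "$d/secret" | cut -c1-11)" = "-rw-r-----+" ] || return 1
    mkdir "$work/plain" || return 1
    ( umask 077 && touch "$work/plain/secret" ) || return 1
    [ "$(ls -l "$work/plain/secret" | cut -c1-10)" = "-rw-------" ] || return 1

    rm -rf "$work"
    trap - EXIT
    return 0
}

if default_acl_demo; then
    echo "default ACL demo: all checks passed"
else
    echo "default ACL demo: status $? (2 = skipped, ACLs unavailable here)"
fi
```

Step 4 is worth remembering when auditing shared directories: a process that sets umask 077 to keep its output private is silently overridden by a default ACL on the target directory, so the directory's default ACL must be reviewed (getfacl shows it) rather than trusting the umask.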
